<html>
<head><meta charset="utf-8"><title>automated fuzzing of stdlib · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html">automated fuzzing of stdlib</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136548860"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136548860" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136548860">(Oct 26 2018 at 14:00)</a>:</h4>
<p>Speaking of which. I have an idea for a project that could significantly improve Rust stdlib security - I want to auto-generate fuzzing harnesses for Rust stdlib functions and run fuzzing on them. This would have discovered the previous CVE in Rust stdlib before it escaped into the wild. But to be effective this would need to run repeatedly because so far both Rust stdlib CVEs were introduced during refactoring. Maybe not run in CI, that'd be too expensive, but once per beta release or some such. <span class="user-mention" data-user-id="116013">@qmx</span>  would it be okay to ping you about resources to run this on if I actually get around to hacking this together?</p>



<a name="136552823"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136552823" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> qmx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136552823">(Oct 26 2018 at 15:00)</a>:</h4>
<p>I can always ask, we already have NO as the default response <span class="emoji emoji-1f61d" title="stuck out tongue">:stuck_out_tongue:</span></p>



<a name="136560892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136560892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136560892">(Oct 26 2018 at 17:19)</a>:</h4>
<p>Google already has a project for this, and this sounds like a good fit: <a href="https://opensource.google.com/projects/oss-fuzz" target="_blank" title="https://opensource.google.com/projects/oss-fuzz">https://opensource.google.com/projects/oss-fuzz</a></p>



<a name="136567791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136567791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136567791">(Oct 26 2018 at 19:14)</a>:</h4>
<p>I am aware of oss-fuzz, but what I'm trying to do is rather different from the traditional fuzzer integration, and does not really fit that mold. However, after reading up on it a bit more, I think integrating with oss-fuzz might be feasible. The big question is whether it will work with Rust code at all - it only officially supports C and C++.</p>



<a name="136569392"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136569392" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136569392">(Oct 26 2018 at 19:44)</a>:</h4>
<p>Ah. I don't know anything about oss-fuzz other than that it exists, so I can't be of much help here. I could try finding folks internally and putting you in touch with them if you want, though.</p>



<a name="136569848"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136569848" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136569848">(Oct 26 2018 at 19:52)</a>:</h4>
<p>That'd be stellar! It's a little early for that, though, but thanks for the offer! And I figure I'll try the regular channels first.<br>
I'm starting a job at Google myself in two weeks but I don't know what degree of access to those folks it will get me, if any.</p>



<a name="136569868"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136569868" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136569868">(Oct 26 2018 at 19:52)</a>:</h4>
<p>It will get you plenty of access. Not that there's not access to the public - just that it's easier to find out who they are if you can search internal documentation.</p>



<a name="136569892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136569892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136569892">(Oct 26 2018 at 19:53)</a>:</h4>
<p>Before I was at Google, I had a number of good experiences tracking down people who'd published a white paper or a product or something and getting them on GVC to ask them for advice on stuff.</p>



<a name="136569916"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136569916" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136569916">(Oct 26 2018 at 19:53)</a>:</h4>
<p>Well, I've been in touch with the author of AFL-fuzz before. What's GVC?</p>



<a name="136569986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136569986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136569986">(Oct 26 2018 at 19:54)</a>:</h4>
<p>Google Video Chat. I think it's an old name for the video chat aspect of Google Hangouts? I'm not really sure; it's just an acronym people use.</p>



<a name="136574162"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136574162" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136574162">(Oct 26 2018 at 21:11)</a>:</h4>
<p>I'm very familiar with oss-fuzz, I've done a bunch of integrations. It should handle Rust fine, though the existing <code>CFLAGS</code>/<code>CC</code> handling obviously won't help at all. The big challenge for your work is that the "unit of integration" for OSS-Fuzz by default is a libFuzzer entrypoint. So if you can structure your work in terms of a function that takes a <code>&amp;[u8]</code>, it'll be Just A Matter Of Engineering. Otherwise work will be required.</p>



<a name="136575172"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136575172" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136575172">(Oct 26 2018 at 21:28)</a>:</h4>
<p>Nice. I have a prototype for fuzzing the function with Rust stdlib's latest CVE that just accepts <code>&amp;[u8]</code> as input. <a href="https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e" target="_blank" title="https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e">This is how it looks</a>. Automatically generating such things for other functions should be fairly trivial, there are literally 3 lines that are specific to the function in the entire file. <br>
Sadly, in my tests this harness has failed to discover the vulnerability. I guess that's because I've been fuzzing on 64-bit, where most of the address space gets you OOM killed instantly. I should try it on 32-bit. I've tried getting a 32-bit chroot in Docker going to make the results reproducible, but I couldn't figure out how to get a 32-bit Docker container on a 64-bit machine without just copy-pasting the entire dockerfile for the base 32-bit image.</p>



<a name="136575446"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136575446" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136575446">(Oct 26 2018 at 21:33)</a>:</h4>
<p>Just so I understand this code, the input you're getting is just returned by the RNG as you request entropy from it -- not hashed and used as a seed or anything?</p>



<a name="136575618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136575618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136575618">(Oct 26 2018 at 21:37)</a>:</h4>
<p>Slightly off-topic: Does oss-fuzz or the Rust fuzzing harnesses you've been using support coverage-guided fuzzing?</p>



<a name="136576067"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576067" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576067">(Oct 26 2018 at 21:46)</a>:</h4>
<p>I've been only using coverage-guided fuzzing, the rest of it is vastly inferior and pretty useless. AFL, libfuzzer, honggfuzz are all coverage-guided, although honggfuzz did not start out that way.</p>



<a name="136576072"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576072" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576072">(Oct 26 2018 at 21:46)</a>:</h4>
<p>OSS-Fuzz is exclusively coverage guided fuzzing; it's libFuzzer + AFL</p>



<a name="136576094"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576094" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576094">(Oct 26 2018 at 21:47)</a>:</h4>
<p>(Technically that's not true, they have special cases for fuzzing SpiderMonkey, JSC, and Chakra which use a custom non-coverage guided fuzzer. But it's basically true.)</p>



<a name="136576100"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576100" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576100">(Oct 26 2018 at 21:47)</a>:</h4>
<p>OK cool</p>



<a name="136576151"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576151" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576151">(Oct 26 2018 at 21:48)</a>:</h4>
<p>so like <a href="https://github.com/vegard/prog-fuzz" target="_blank" title="https://github.com/vegard/prog-fuzz">https://github.com/vegard/prog-fuzz</a> but without the coverage feedback?</p>



<a name="136576190"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576190" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576190">(Oct 26 2018 at 21:49)</a>:</h4>
<p>No, it's a custom javascript fuzzer based on merging and mutating snippets from existing JS programs.</p>



<a name="136576312"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576312" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576312">(Oct 26 2018 at 21:51)</a>:</h4>
<p>prog-fuzz is basically a completely custom mutation strategy on top of AFL instrumentation feedback. Combining your custom mutation strategy with instrumentation feedback would probably get you better results, although you'd need a pretty big map size or to use the (unreleased) coll-afl fork for such a big codebase to be manageable.<br>
Actually, doesn't Mozilla maintain a fork of AFL that lets you plug in custom mutation strategies using Python?</p>



<a name="136576385"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576385" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576385">(Oct 26 2018 at 21:52)</a>:</h4>
<p>I know that's something our fuzzing team used, dunno if we still work on it or not.</p>



<a name="136576530"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136576530" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136576530">(Oct 26 2018 at 21:55)</a>:</h4>
<p>As for the code I've linked - I've tried to get it to use the input as-is as much as possible, but at the same time I've tried to reuse the "arbitrary" trait made for QuickCheck that transforms <code>&amp;[u8]</code> into structures like strings, which is geared towards PRNG output as input. So there's some boilerplate wrapping the input <code>&amp;[u8]</code> and pretending it's PRNG output. I'm still not 100% sure that it doesn't do weird things like hashing the input, but I've tried to eliminate that.</p>



<a name="136577478"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/136577478" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#136577478">(Oct 26 2018 at 22:11)</a>:</h4>
<p>Okay, that was actually a really good question that prompted me to look at the implementation of Arbitrary and supporting traits. Now I think I know what might be throwing off the fuzz harness. The QuickCheck RNG wrapper accepts a size parameter that controls both the length of the generated strings and the range of generated numbers, at the same time. This means that when I set it really high, which is needed to generate a large number and trigger an overflow, it simply tries to generate a large string and fails because the size of the fuzzer input is a few gigabytes short.</p>



<a name="137151822"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/137151822" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#137151822">(Nov 04 2018 at 10:52)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> now that you're toying with <code>syn</code>, this thread is about a fairly simple but important project I've been meaning to get around to, but so far couldn't. It might be of interest to you. If you'd like to collaborate on this, I could handle the fuzzer part and let you have fun with <code>syn</code></p>



<a name="137165917"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/137165917" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#137165917">(Nov 04 2018 at 18:17)</a>:</h4>
<p>Oh man, great news. I was really enjoying syn and looking forward to more with it. I'll catch up on this thread</p>



<a name="137165965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/137165965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#137165965">(Nov 04 2018 at 18:18)</a>:</h4>
<p>Neat! I probably didn't describe what I'm trying to do in sufficient detail so feel free to ping me</p>



<a name="137165968"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/137165968" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#137165968">(Nov 04 2018 at 18:18)</a>:</h4>
<p>Will do.</p>



<a name="147448507"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/147448507" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#147448507">(Nov 10 2018 at 21:22)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> I'll have tomorrow and the day after mostly free, so I'll probably be taking another stab at the automated fuzzing of stdlib, at the parts that do not involve <code>syn</code> because I still haven't looked into it. I should be available all day (in UTC+1 timezone) if you want to collaborate and/or have any questions.</p>



<a name="156573363"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/156573363" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#156573363">(Jan 22 2019 at 02:09)</a>:</h4>
<p>Okay, so, I've taken another stab at auto-generating fuzzing harnesses for functions based on type declarations. I have done the "parse the functions and methods and get types from them" part, it also converts the data into an intermediate representation that's convenient for fuzzing. I've also implemented pretty-printing for the intermediate representation. It parses the entire stdlib without panicking, so that's something. Haven't tried writing the generation pass yet, but judging by <a href="https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e" target="_blank" title="https://gist.github.com/Shnatsel/4a907d44d6429de93d63d6e7c4d1361e">the template</a> it should not be all that hard. <br>
Stuff like <code>&amp;str</code> will give me trouble because it has no direct constructor, I'll have to special-case them. <br>
I'm also concerned about <code>use</code> statements, but perhaps there is an "expand everything" output from the compiler that turns them from relative to absolute? Visibility would probably still be an issue though.</p>



<a name="157944571"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/157944571" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#157944571">(Feb 09 2019 at 20:32)</a>:</h4>
<p>I've applied for copyright release for this project but got denied. This means that if I open-source it, it will come with a Google CLA attached, which includes copyright assignment among other things: <a href="https://cla.developers.google.com/clas/new?domain=DOMAIN_GOOGLE&amp;kind=KIND_INDIVIDUAL" target="_blank" title="https://cla.developers.google.com/clas/new?domain=DOMAIN_GOOGLE&amp;kind=KIND_INDIVIDUAL">https://cla.developers.google.com/clas/new?domain=DOMAIN_GOOGLE&amp;kind=KIND_INDIVIDUAL</a></p>
<p>There are two paths from here:<br>
1. Bite the bullet and attach the CLA to the project forever. I fear this would have a detrimental effect on the number of contributions, but I'd be interested to hear what you guys think.<br>
2. Get somebody outside Google to kick off the project based on public info. Since I've published the idea and a good chunk of implementation before I joined Google, the only thing the company has a claim to is ~40 lines of code that parse function definitions into structs and pretty-print those structs. So if somebody could re-implement that, I could join in afterwards and we'd have a non-CLA'd project. <br>
Frankly <a href="https://github.com/dtolnay/syn/issues/549#issuecomment-447613475" target="_blank" title="https://github.com/dtolnay/syn/issues/549#issuecomment-447613475">https://github.com/dtolnay/syn/issues/549#issuecomment-447613475</a> gets you most of the way there for parsing, and we can drop the pretty-printing. </p>
<p>The question is: are there any takers for option 2?</p>



<a name="158010011"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158010011" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158010011">(Feb 11 2019 at 06:35)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> so on a not-entirely-unrelated note I saw Google open sourced clusterfuzz</p>



<a name="158010015"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158010015" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158010015">(Feb 11 2019 at 06:35)</a>:</h4>
<p>could... that be used for this? I don't really know, just spitballing</p>



<a name="158714413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158714413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158714413">(Feb 16 2019 at 22:03)</a>:</h4>
<p>Well, @blt of <a href="https://github.com/blt/bughunt-rust" target="_blank" title="https://github.com/blt/bughunt-rust">bughunt-rust</a> fame considers it useful. Frankly I haven't looked into it.</p>



<a name="158714803"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158714803" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158714803">(Feb 16 2019 at 22:14)</a>:</h4>
<p>Also, <span class="user-mention" data-user-id="120179">@Eh2406</span> has independently implemented all parts of the automated fuzzing harness generator that I was not allowed to release. I actually like their architecture more than mine. The code is now public and resides here: <a href="https://github.com/Eh2406/auto-fuzz-test" target="_blank" title="https://github.com/Eh2406/auto-fuzz-test">https://github.com/Eh2406/auto-fuzz-test</a><br>
It is already useful for generating <code>proptest</code> boilerplate - it gets you 80% there so you can focus on the stuff that matters.<br>
I'll be hacking on it in my spare time, mostly weekends. A coworker of mine has expressed interest in the project just this weekend, and unlike me he has some professional security experience. I hope he will join in soon as well.</p>



<a name="158723978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158723978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158723978">(Feb 17 2019 at 03:06)</a>:</h4>
<p>whoa, that sounds awesome in theory</p>



<a name="158753157"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158753157" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158753157">(Feb 17 2019 at 18:05)</a>:</h4>
<p>I just keep discovering more and more stuff that I've inspired: <a href="https://github.com/blt/bh_alloc" target="_blank" title="https://github.com/blt/bh_alloc">https://github.com/blt/bh_alloc</a><br>
I might actually use this, too.</p>



<a name="158759945"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158759945" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158759945">(Feb 17 2019 at 21:34)</a>:</h4>
<p>heh fun... almost thought it might be useful to me but I was thinking <code>no_std</code> which that crate definitely isn't</p>



<a name="158760233"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158760233" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158760233">(Feb 17 2019 at 21:42)</a>:</h4>
<p>Okay, so the initial implementation is in. Currently parses a hardcoded string, but the generated code should at least compile and maybe even find some bugs.</p>



<a name="158760525"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158760525" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158760525">(Feb 17 2019 at 21:51)</a>:</h4>
<p>It's too early to actually try using it, but hey, at least I'm making progress and shouldn't face any more legal hurdles</p>



<a name="158760633"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158760633" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158760633">(Feb 17 2019 at 21:55)</a>:</h4>
<p>In other fuzzing-related news: <code>png</code> crate authors didn't implement fuzzing on CI, so the crate has regressed and you can OOM-crash it again. <a href="https://github.com/PistonDevelopers/image-png/issues/103" target="_blank" title="https://github.com/PistonDevelopers/image-png/issues/103">https://github.com/PistonDevelopers/image-png/issues/103</a><br>
And I've dug up another vulnerability on the rustc bug tracker that should have got a CVE, but didn't. Reported to the Rust security team.</p>



<a name="158760892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158760892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158760892">(Feb 17 2019 at 22:02)</a>:</h4>
<p>orly</p>



<a name="158834167"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158834167" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158834167">(Feb 18 2019 at 22:42)</a>:</h4>
<p>I kid you not</p>



<a name="158834182"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158834182" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158834182">(Feb 18 2019 at 22:43)</a>:</h4>
<p>Also, this project is looking for a name: <a href="https://github.com/Eh2406/auto-fuzz-test/issues/2" target="_blank" title="https://github.com/Eh2406/auto-fuzz-test/issues/2">https://github.com/Eh2406/auto-fuzz-test/issues/2</a></p>



<a name="158837469"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158837469" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158837469">(Feb 18 2019 at 23:48)</a>:</h4>
<p>rust fleece.  It's all sorts of fuzzy hehe</p>



<a name="158900580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158900580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158900580">(Feb 19 2019 at 17:36)</a>:</h4>
<p>for fuzzing there's also <a href="http://fuzz.rs" target="_blank" title="http://fuzz.rs">fuzz.rs</a> (<a href="https://fuzz.rs/book/introduction.html" target="_blank" title="https://fuzz.rs/book/introduction.html">https://fuzz.rs/book/introduction.html</a>) - not sure if it was mentioned</p>



<a name="158902104"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158902104" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158902104">(Feb 19 2019 at 17:54)</a>:</h4>
<p>I'm planning on adding a section to that explaining how to use arbitrary in fuzz tests.  I wanna get a little more practice with it first so I don't add bad docs</p>



<a name="158909569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158909569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158909569">(Feb 19 2019 at 19:10)</a>:</h4>
<p>Using <code>Arbitrary</code> is exactly the approach I'm taking with the automated generator. I'm not sure if it's worth the trouble in case you have 1-2 harnesses, though. It's probably easier to construct the data type ad-hoc instead of bringing in all the complexity of Arbitrary, most of which is not necessary anyway.</p>



<a name="158909904"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158909904" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158909904">(Feb 19 2019 at 19:14)</a>:</h4>
<p>"fleece" is cool but both "cargo fleece" and "fleece fuzz" Google searches produce over a million results</p>



<a name="158912178"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158912178" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158912178">(Feb 19 2019 at 19:41)</a>:</h4>
<p>libfuzzer already has an automated generator, why not use that?</p>



<a name="158912581"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158912581" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158912581">(Feb 19 2019 at 19:45)</a>:</h4>
<p>Huh? Automated generator of what? Last time I checked <code>cargo-fuzz</code> only created a project template, similar to <code>cargo new</code>. Did I overlook something?</p>



<a name="158920047"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158920047" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158920047">(Feb 19 2019 at 21:21)</a>:</h4>
<p>I've been using both afl and libfuzzer (mostly for testing for now - nothing serious), libfuzzer doesn't require a corpus to start working, but you can provide one and then it does the mutations (like afl)</p>



<a name="158920280"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158920280" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158920280">(Feb 19 2019 at 21:24)</a>:</h4>
<p>as far as names, how about the name of a fuzzy crab? :P <a href="https://en.wikipedia.org/wiki/Pilumnus_hirtellus" target="_blank" title="https://en.wikipedia.org/wiki/Pilumnus_hirtellus">https://en.wikipedia.org/wiki/Pilumnus_hirtellus</a></p>



<a name="158920293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158920293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158920293">(Feb 19 2019 at 21:24)</a>:</h4>
<p>or <a href="https://en.wikipedia.org/wiki/Kiwa_hirsuta" target="_blank" title="https://en.wikipedia.org/wiki/Kiwa_hirsuta">https://en.wikipedia.org/wiki/Kiwa_hirsuta</a></p>



<a name="158920815"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158920815" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158920815">(Feb 19 2019 at 21:31)</a>:</h4>
<p>Oh yeah, it's not about generating the corpus, afl/libfuzzer/honggfuzz handle that already. It's about generating the glue code that reads bytes from afl/libfuzzer/honggfuzz and feeds them to the function you want to fuzz, automatically and for every function in the library.</p>



<a name="158921199"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158921199" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158921199">(Feb 19 2019 at 21:36)</a>:</h4>
<p>"Hirtellus" is pretty unique, "cargo hirtellus" or "hirtellus fuzz" don't turn up many results. Googling "hirtellus" alone turns up a ton of results for a plant, though.</p>



<a name="158921235"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158921235" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158921235">(Feb 19 2019 at 21:37)</a>:</h4>
<p>"fuzzbiglib" without quotes is 0 results, so that's also an option</p>



<a name="158921306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158921306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158921306">(Feb 19 2019 at 21:38)</a>:</h4>
<p>I wonder if there is a library pun in here somewhere? I have no clue what book storage procedures look like, though.</p>



<a name="158921349"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158921349" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158921349">(Feb 19 2019 at 21:39)</a>:</h4>
<p>the best I've got is "fuzzandria" which is 2 results in google without quotes</p>



<a name="158922030"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158922030" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158922030">(Feb 19 2019 at 21:47)</a>:</h4>
<blockquote>
<p>Oh yeah, it's not about generating the corpus, afl/libfuzzer/honggfuzz handle that already. It's about generating the glue code that reads bytes from afl/libfuzzer/honggfuzz and feeds them to the function you want to fuzz, automatically and for every function in the library.</p>
</blockquote>
<p>understood</p>



<a name="158931332"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/158931332" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#158931332">(Feb 19 2019 at 23:53)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> have you tried to upgrade libfuzzer to master with cargo fuzz?</p>



<a name="159040703"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/159040703" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> maksimsco <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#159040703">(Feb 21 2019 at 04:49)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> why do you think nobody runs fuzzing on CI, is it too cumbersome or something?</p>



<a name="159041070"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/159041070" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Carosone <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#159041070">(Feb 21 2019 at 04:59)</a>:</h4>
<p>is it maybe to do with wanting repeatable test results (which fuzzing generally isn't if you randomise generation), or that you have a different interpretation of "test failure" (where someone needs to look over results)?  Unless you can have a relatively simple criterion (fuzz for N mins with no panics), it doesn't fit CI workflow well.</p>



<a name="159041164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/159041164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Carosone <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#159041164">(Feb 21 2019 at 05:00)</a>:</h4>
<p>to put it another way, perhaps CI is not a good place for a project to <em>start</em> fuzzing. Maybe once they've got a mature set of cases and robust error handling, they can CI fuzzing for regressions.</p>



<a name="159041316"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/159041316" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#159041316">(Feb 21 2019 at 05:04)</a>:</h4>
<p>I think the clusterfuzz model of continuous fuzzing that's separate from CI, and then running all your regression test cases in CI, makes more sense personally.</p>



<a name="163866125"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/163866125" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#163866125">(Apr 21 2019 at 20:25)</a>:</h4>
<p>A quick update: still working on <a href="https://github.com/Eh2406/auto-fuzz-test" target="_blank" title="https://github.com/Eh2406/auto-fuzz-test">https://github.com/Eh2406/auto-fuzz-test</a> on and off, but the progress is slow. There is a fork that adds a bunch of useful stuff; I need to drop the latest commit from it, which is kinda misguided, and then pull it in.</p>



<a name="163866156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/automated%20fuzzing%20of%20stdlib/near/163866156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/automated.20fuzzing.20of.20stdlib.html#163866156">(Apr 21 2019 at 20:26)</a>:</h4>
<p>Also maybe comment the code better to make it more approachable, it's kind of a mess right now.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>